Merge pull request #184 from rostilos/1.5.7-rc

feat: Enhance error sanitization and add tests for provider error mes…

Author: rostilos

java-ecosystem/services/pipeline-agent/src/main/java/org/rostilos/codecrow/pipelineagent/generic/processor/WebhookAsyncProcessor.java

@@ -22,6 +22,8 @@
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
+import java.util.Map;
+
 /**
  * Service for processing webhooks asynchronously.
  * 
@@ -141,11 +143,9 @@ public void processWebhookInTransaction(
 
             // Create event consumer that logs to job
             log.info("Calling handler.handle for job {}", job.getExternalId());
-            WebhookHandler.WebhookResult result = handler.handle(payload, project, event -> {
-                String message = (String) event.getOrDefault("message", "Processing...");
-                String state = (String) event.getOrDefault("state", "processing");
-                jobService.info(job, state, message);
-            });
+            WebhookHandler.WebhookResult result = handler.handle(payload, project, event ->
+                    logHandlerEvent(job, event)
+            );
             log.info("handler.handle completed for job {}, result status={}", job.getExternalId(), result.status());
 
             // Check if the webhook was ignored (e.g., branch not matching pattern, analysis disabled)
@@ -273,6 +273,19 @@ public void processWebhookInTransaction(
             }
         }
     }
+
+    private void logHandlerEvent(Job job, Map<String, Object> event) {
+        String message = String.valueOf(event.getOrDefault("message", "Processing..."));
+        String state = String.valueOf(event.getOrDefault("state", "processing"));
+        String type = String.valueOf(event.getOrDefault("type", "info"));
+
+        switch (type) {
+            case "error", "failed" -> jobService.error(job, state, message);
+            case "warning", "warn" -> jobService.warn(job, state, message);
+            case "debug" -> jobService.debug(job, state, message);
+            default -> jobService.info(job, state, message);
+        }
+    }
 
     /**
      * Initialize lazy associations that will be needed during webhook processing.

python-ecosystem/inference-orchestrator/src/llm/llm_factory.py

@@ -163,6 +163,9 @@ def _normalize_cloudflare_chat_payload(payload: dict[str, Any]) -> dict[str, Any
     arrays in `messages[*].content`. It also expects tool-calling assistant messages
     to use `content: null`, matching OpenAI's own tool-call transcript shape.
     """
+    payload = dict(payload)
+    payload.pop("parallel_tool_calls", None)
+
     messages = payload.get("messages")
     if not isinstance(messages, list):
         return payload

python-ecosystem/inference-orchestrator/src/utils/error_sanitizer.py

@@ -3,12 +3,94 @@
 Removes sensitive technical details like API keys, quotas, and internal stack traces.
 """
 
+import ast
 import re
 import logging
 
 logger = logging.getLogger(__name__)
 
 
+def _redact_sensitive(text: str) -> str:
+    """Remove common secret-bearing fragments from an error message."""
+    text = re.sub(r'sk-[a-zA-Z0-9]{20,}', '[API_KEY_REDACTED]', text)
+    text = re.sub(
+        r'api[_-]?key["\s:=]+["\']?[a-zA-Z0-9-_]+["\']?',
+        '[API_KEY_REDACTED]',
+        text,
+        flags=re.IGNORECASE,
+    )
+    text = re.sub(
+        r'authorization["\s:=]+["\']?bearer\s+[a-zA-Z0-9._-]+["\']?',
+        '[AUTHORIZATION_REDACTED]',
+        text,
+        flags=re.IGNORECASE,
+    )
+    return text
+
+
+def _message_from_payload(payload) -> str | None:
+    """Extract a provider-facing message from nested error payloads."""
+    if isinstance(payload, dict):
+        for key in ("message", "detail"):
+            value = payload.get(key)
+            if isinstance(value, str) and value.strip():
+                return value.strip()
+
+        error = payload.get("error")
+        if isinstance(error, str) and error.strip():
+            return error.strip()
+        if isinstance(error, dict):
+            message = _message_from_payload(error)
+            if message:
+                return message
+
+        errors = payload.get("errors")
+        if isinstance(errors, list):
+            for item in errors:
+                message = _message_from_payload(item)
+                if message:
+                    return message
+
+    if isinstance(payload, list):
+        for item in payload:
+            message = _message_from_payload(item)
+            if message:
+                return message
+
+    return None
+
+
+def _extract_provider_error_message(error_message: str) -> str | None:
+    """Parse common OpenAI-compatible provider exception bodies."""
+    error_lower = error_message.lower()
+    if not any(marker in error_lower for marker in (
+        "error code:",
+        "badrequesterror",
+        "apiresponsevalidationerror",
+        "status code",
+    )):
+        return None
+
+    start = error_message.find("{")
+    end = error_message.rfind("}")
+    if start == -1 or end <= start:
+        return None
+
+    try:
+        payload = ast.literal_eval(error_message[start:end + 1])
+    except (SyntaxError, ValueError):
+        return None
+
+    provider_message = _message_from_payload(payload)
+    if not provider_message:
+        return None
+
+    provider_message = _redact_sensitive(provider_message)
+    if len(provider_message) > 180:
+        provider_message = provider_message[:177].rstrip() + "..."
+    return provider_message
+
+
 def sanitize_error_for_display(error_message: str) -> str:
     """
     Sanitize error messages for user display.
@@ -24,6 +106,20 @@ def sanitize_error_for_display(error_message: str) -> str:
         return "An unexpected error occurred during processing."
 
     error_lower = error_message.lower()
+
+    provider_message = _extract_provider_error_message(error_message)
+    if provider_message:
+        if any(term in provider_message.lower() for term in (
+            "tool",
+            "function",
+            "parallel_tool_calls",
+            "tools",
+        )):
+            return (
+                "The AI provider rejected CodeCrow's tool-calling request: "
+                f"{provider_message}"
+            )
+        return f"The AI provider rejected the request: {provider_message}"
 
     # AI provider quota/rate limit errors
     if any(term in error_lower for term in ["quota", "rate limit", "rate_limit", "429", "exceeded", "too many requests"]):
@@ -135,10 +231,7 @@ def sanitize_error_for_display(error_message: str) -> str:
 
     # If it looks safe, return a cleaned version
     # Remove any potential API keys or tokens
-    sanitized = re.sub(r'sk-[a-zA-Z0-9]{20,}', '[API_KEY_REDACTED]', error_message)
-    sanitized = re.sub(r'api[_-]?key["\s:=]+["\']?[a-zA-Z0-9-_]+["\']?', '[API_KEY_REDACTED]', sanitized, flags=re.IGNORECASE)
-    
-    return sanitized
+    return _redact_sensitive(error_message)
 
 
 def create_user_friendly_error(error: Exception) -> str:

python-ecosystem/inference-orchestrator/tests/test_error_sanitizer.py

@@ -102,6 +102,25 @@ def test_json_structure(self):
         result = sanitize_error_for_display('{"error": "something"}')
         assert "error occurred" in result.lower()
 
+    def test_provider_error_message_extracted(self):
+        msg = (
+            "Error code: 400 - {'errors': [{'message': "
+            "'Request body has an unknown field: parallel_tool_calls'}], "
+            "'success': False}"
+        )
+        result = sanitize_error_for_display(msg)
+        assert "tool-calling" in result.lower()
+        assert "parallel_tool_calls" in result
+
+    def test_provider_error_message_redacts_keys(self):
+        msg = (
+            "Error code: 401 - {'error': {'message': "
+            "'Invalid API key sk-abcdefghijklmnopqrstuvwxyz1234'}}"
+        )
+        result = sanitize_error_for_display(msg)
+        assert "sk-" not in result
+        assert "REDACTED" in result
+
     # Very long message
     def test_long_message_truncated(self):
         result = sanitize_error_for_display("A" * 300)

python-ecosystem/inference-orchestrator/tests/test_llm_factory.py

@@ -242,6 +242,7 @@ def test_coerce_content_blocks_to_text(self):
 
     def test_normalize_cloudflare_payload_content_blocks_and_tool_calls(self):
         payload = {
+            "parallel_tool_calls": False,
             "messages": [
                 {"role": "system", "content": [{"type": "text", "text": "sys"}]},
                 {"role": "user", "content": [{"type": "text", "text": "question"}]},
@@ -260,6 +261,7 @@ def test_normalize_cloudflare_payload_content_blocks_and_tool_calls(self):
         assert normalized["messages"][1]["content"] == "question"
         assert normalized["messages"][2]["content"] is None
         assert normalized["messages"][3]["content"] == "result"
+        assert "parallel_tool_calls" not in normalized
 
 
 # ── Constants ────────────────────────────────────────────────────